Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2006/11/11 00:13:12 UTC

[Bug 5175] New: Correct selinux context for spamd ssl certificates

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5175

           Summary: Correct selinux context for spamd ssl certificates
           Product: Spamassassin
           Version: 3.1.4
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: minor
          Priority: P5
         Component: spamc/spamd
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: ajbostian@virginia.edu


spamd will not start from the init script if selinux is enforcing and ssl is
enabled.  This appears to be a case of not having the correct selinux context on
the certificates.  What is the correct context?

Setup:
Fedora Core 6 (i386)
spamassassin-3.1.4-1.fc6.i386.rpm

Spamd is invoked with the options:
--daemonize --ssl --server-key /etc/pki/tls/spamd/myserver.key --server-cert /etc/pki/tls/spamd/myserver.crt

The contents of /etc/pki/tls/spamd are:
# ls -laZ /etc/pki/tls/spamd
drwxr-xr-x  root root system_u:object_r:cert_t         .
drwxr-xr-x  root root system_u:object_r:cert_t         ..
-r--r--r--  root root system_u:object_r:cert_t         ca.crt
-r--r--r--  root root system_u:object_r:cert_t         myserver.crt
-r--r-----  root root system_u:object_r:cert_t         myserver.key

(1) With selinux set to "Enforcing" under the Fedora "Targeted" policy, spamd
fails to start from the init script with the error message:

Starting spamd: [5608] error: spamd: server key file
/etc/pki/tls/spamd/myserver.key does not exist
spamd: server key file /etc/pki/tls/spamd/myserver.key does not exist
[FAILED]

(2) Under the same conditions as (1), spamd will start when run from the command
line as root.

(3) With selinux set to "Permissive," spamd will start from the init script.

I assume that "spamc -S" is affected similarly, though I haven't tested it.

I've tried a few other selinux user contexts (root, user_u) with no success. 
Any thoughts?



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
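
Added example, not part of the original report or of SpamAssassin: the pattern in (1)-(3), where spamd fails only when the init script starts it in Enforcing mode, is what a denial against a confined daemon domain looks like, and the audit log names the source and target types involved. The log lines below are constructed for illustration; the spamd_t domain name, the denied permissions and the inode numbers are assumptions, not values from the reporter's system.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for one command name.
# Reads audit-log text on stdin; prints one line per denial:
#   <perms> <object> <source type> -> <target type> (<class>)
avc_denials_for() {
    awk -v want="comm=\"$1\"" '
    /avc:/ && /denied/ {
        hit = 0; perms = ""; name = "-"; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == want) hit = 1
            else if ($i == "{") {
                # permissions are the words between "{" and "}"
                for (i++; i <= NF && $i != "}"; i++)
                    perms = perms (perms ? "," : "") $i
            }
            else if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
            else if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); src = c[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (hit) printf "%s %s %s -> %s (%s)\n", perms, name, src, tgt, cls
    }'
}

# Constructed sample audit records (not from the reporter's machine).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1163200392.101:45): avc:  denied  { search } for  pid=5608 comm="spamd" name="spamd" dev=dm-0 ino=98001 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1163200392.102:46): avc:  denied  { read } for  pid=5608 comm="spamd" name="myserver.key" dev=dm-0 ino=98004 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1163200399.300:47): avc:  denied  { write } for  pid=5700 comm="sendmail" name="log" dev=dm-0 ino=77001 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1163200392.102:46): arch=40000003 syscall=5 success=no exit=-13 comm="spamd" exe="/usr/bin/perl"
EOF
}

# Demo run on the constructed sample: only the two spamd denials are reported.
sample_audit_log | avc_denials_for spamd
```

On a live system the same function can be fed from `ausearch -m AVC -c spamd` or from /var/log/audit/audit.log.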

[Bug 5175] Correct selinux context for spamd ssl certificates

Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5175


felicity@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




------- Additional Comments From felicity@apache.org  2006-11-10 15:21 -------
I'm not sure what the answer is to this.  Generally for this type of problem,
you should talk to the users@ list, and I'd also consider talking to the Fedora
support groups since you're using their stuff including their SA package.

But it's not an SA bug, so closing the ticket. :)


